Posted by William Charles on May 10, 2016
Credit Cards

Published on May 10th, 2016 | by William Charles

36

Discover To Transition To Chip & PIN Cards

Discover Chairman and CEO David Nelms recently announced that Discover would be transiting from chip + signature to chip + PIN during the Electronic Transactions Association’s TRANSACT 16 meeting in Las Vegas. From a consumers stand point this means that when they make a purchase they will be required to insert their chipped card into the payment terminal and then enter a PIN code, rather than signing their name.

Credit card issuers and merchants have been pushing the transition to chipped cards due to the liability shift that occurred in October of last year, because of the October liability shift last year. The liability shift can be simply explained as follows:

[T]he party that is the cause of a chip-on-chip transaction not occurring (i.e., either the issuer or the merchant’s acquirer) will be financially liable for any resulting card-present counterfeit fraud
losses. – Visa

There are significant advantages to using a PIN over a signature though. For starters consumers are able to use their chip + PIN cards in countries where this is the standard (they are able to sign for these transactions as well, but this can be difficult to explain to cashiers in countries where chip + PIN is the standard. Signature transactions also won’t work for automated kiosks at places like train stations). EMV + PIN also reduces the amount of fraud. According to this white paper total fraud losses on signature based transactions per dollar volume were .13 percent or 13 basis points. PIN-based transactions .035 percent or 3.5 basis points.

One thing that consumers should be aware of is how their zero liability protection works. Typically if an unauthorized transaction is made on your credit card, you’re not responsible for this transaction and will have it refunded. In some cases PIN transactions are specifically excluded from this zero liability protection, as far as I can see all of the major payment networks (Visa, Mastercard, Discover, American Express) no longer exclude PIN transactions, but this could be different at the card issuer level. Zero liability will also not cover you if you haven’t exercised care to safeguard your card and PIN (e.g if your PIN is 0000 or 1234 you usually will not be covered).

Barclaycard is currently the only major credit card issuer that offers chip + PIN cards as standard. At the moment Discover have not released a timeline for their switch to PIN cards. What are your thoughts about the changes? Are you a fan of chip + PIN or is it just one more number to forget?



36
Leave a Reply

avatar
 

  Subscribe  
newest oldest
Notify of

Don’t like it. PINs push the liability onto the cardholder. Zero-liability doesn’t mean anything when the bank says that you didn’t safeguard your PIN.

I had heard that the Fair Credit Billing Act prevents banks from pushing full liability (just a maximum of $50,) onto cardholders even if your PIN is compromised.

Your correct, but under the new law its still zero liability.

did you read this article it says , as far as I can see all of the major payment networks (Visa, Mastercard, Discover, American Express) no longer exclude PIN transactions, but this could be different at the card issuer level.

I travel frequently and have never had an issue with chip & signature. The machine prompts the merchant to get a signature. Regarding zero liability for unauthorized transactions – I don’t see that going away. People are used to and now demand that in their credit products. The negative publicity an issuer would receive by trying to get rid of it, would far outweigh any potential savings. It just wouldn’t be worth it to them – and if by some small chance they did, people would demand regulations be put into place to retain the zero liability. Just ain’t gonna happen.
Regarding the use of 0000 or 1234 – that’s only a simple programming change to eliminate those codes as potential choices.

Chip & Signature is really a kind of a joke. No one ever really looks at the signature. This is a good move and will give everyone better protection from fraud.

One more comment… when is this suppose to happen? They really should have done it in the first place. Considering the amount of time it is taking to roll out the chip cards, I’m not holding my breath.

I’ve also wondered by we (the US) didn’t just shift directly to chip and pin. Why the “Let’s just see how well this works first” mentality?

Pretty much any merchant will tell you that they rarely see customers actually sign their name when making credit card purchases. It’s usually just a scribbly line. It’s not rocket science to duplicate someone’s scribbly line “signature.”

It’ll be nice when travelling overseas, especially since Discover doesn’t charge forex fees.

However, it makes the checkout process that much more painful (with chips already being much slower than magstripes) and would likely cause me to use a different card if the rewards structure was the same. I think this is likely the reason why US banks don’t have PINs (and took so long to issue chips).

The nice thing is that Discover supports Android Pay, allowing me to mitigate this — unless they start to require PINs when paying with Android Pay. The downside is many merchants don’t support it.

The reality is that fraud is much more likely to happen online, and this doesn’t prevent that. It’ll be interesting to see how this effects Discover’s business, however, and I’m sure other card issuers will be watching closely.

I should also mention. Meanwhile, my Discover debit card is still basic magstripe…

I’d expect the opposite to be true for transaction speed. Right now there are multiple comms going back and forth between the POS and VISA etc. during the chip transaction because the authentication is going through VISA. This is why it is so slow (plus US banks have a 1970’s infrastructure). With pin the authentication can be done locally as the pin is encoded in the chip, thus a faster transaction.

POS systems in the US are setup for online PIN. I don’t expect that to change anytime soon.

Encoding pin in the chip or in the card is not a very smart choice anyway. This kinda increases the chance of compromising pin though you might say chip is highly encrypted. Offline pin is what the payment networks were trying to avoid several years ago.

With cryptographic hash values even a compromised chip storage is as secure as an online PIN, only “hackable” by guessing.

I’m also interested to see what happens in restaurants. Will this force restaurants to purchase wireless payment terminals, like those that are common in Europe, and bring them to your table when you’re done your meal?

They should do that anyways

Barclays does NOT issue Chip and Pin cards, they issue Chip and Signature cards but with a PIN backup, ie they are chip and signature 99.9% of the time but will work with PIN in automated Kiosks. There are a few credit unions that issue Chip and Pin cards (UNFCU and First Tech Credit Union).

So what if I have a unique pin and my card is still replicated (progress moves at both ends, hackers just adapt) – will I get stuck with a charge with no right to dispute? That blows.

Not sure I understand why people are associate the liability shift to the consumer. it is a shift of liability from almost exclusively being on the card issuer (your bank) to being shared with the merchant (the company accepting the card).

As far as the PIN goes, I think anything that reduces the cost to these companies is better for consumers. Not every penny saved goes back to the consumers, but it certainly frees up the issuers to come up with better offers, etc. Even though fraud is a faction of a percent, it is a very expensive fraction.

Good news is that no one is replicating the secure layer on a properly implemented EMV card. It’s NP-Hard (computer science speak for it’ll take so long for me to compute it, that we might as well call it forever).

There have already precedents in Europe of “unhackable” chip-n-pin card ##s being stolen and the banks had people stuffed with the unauthorized charges. That is why I’m wary.

The crypto used in EMV is RSA with 1984 bit keys and a variant of triple DES. That means integer factorization is sufficient to break the security, but integer factorization is not known to be NP-hard.

Funny you mention NP-Hard problems. Crypto systems based on NP-Hard problems have a pretty poor track record (Merkle–Hellman springs to mind).

My Suntrust card is Chip + PIN and I find it really comforting to have the added layer of security.

Chip-and-Pin is no doubt the safest, many papers have shown it reduces fraud significantly and it is the main reason it is widely used in other western countries. It sucks that we’ve still to catch up.

Def a good move on Discover’s part, but until mos of our stores’ POS systems process pin transactions, not sure how much of a practical impact this will have for American consumers.

Target is prob the exception of the major US retailers here. Still suffering from 2013 data breach, they implemented chip-and-pin since late last year, even got Amex to re-issue Redbird (Prepaid REDcard) cards as chip-and-pin for new registrations since last year. By the end of June 2016 old non-EMV Redbirds will be automatically invalidated, Amex mailed in chip replacement cards for Redbird holders (more details here: https://goo.gl/Jmbzgm).

I meant Target was still suffering image-wise in 2015 (which translates to $ loss, I’m sure) from their 2013 data breach. When it comes to security, I think Target is among the most secure retailers now…once bitten.

Recently they disallowed changing your email address on your Target.com login. Hopefully as a precaution, not due to a vulnerability (maybe ITs can chime on on this). I asked one of their reps via an online chat if they would change it upon consumer request, he said no, it is a firm policy, you’d have to create a new Target.com account if you want to use a diff email address.

Your writing style is horrendous to read.

What part of it did you find “horrendous?”

Technically, one doesn’t read the writing *style,* but the writing itself. So your attempt to troll just backfired on you. Have a nice day.

Probably, the fact, that he doesn’t, know how to use, commas. I was aggravated as well.

John, I can’t read (or hear) myself from a third-person point of view, so thanks for the feedback. I’d appreciate something more specific so I know what you mean.

I love this. Especially due to the hassle of chip+sig on recent trips to the UK and Australia. Merchants there all seemed befuddled when the terminal told them to obtain a signature from me. And 95% of the time, I had to dig up my passport so they could verify the signature. Having it default to a pin would be much easier.

I use a Barclay card when I travel overseas, specifically for this reason. I only had to use the true chip-and-pin feature twice (the default is chip and signature) but when I did it was extremely useful. The first time I used it to buy train tickets in Europe, from a terminal, and my family and I had just 5 minutes to catch that train. The second time it happened when buying fuel from a gas station in a very remote part of Iceland. No other options were available and the weather was terrible so it would have been a very big pain to try to find an alternative.

Since my Barclay card has a annual fee I’m looking forward to having a non-fee alternative from Discover.

The transition in the US from chip and signature to chip and PIN can’t come soon enough, mostly because it’s harder for a crook to “forge” your PIN than it is to forge your signature.

As for security for US travelers in Europe with American chip cards, I find it awkward to have to sign the receipt. Essentially all US card issuers have their cards default to signature while the client is in Europe. This makes it difficult for ordinary merchants as their clerks have to be trained to understand that the POS is not asking for a PIN, and the clerk has to go out and find a pen to hand to the American client. Worse yet is that having to sign vs. using a PIN marks the client immediately as an American, which could be dicey for Americans in shops staffed with clerks from Mollenbeek or St. Denis, which I ran into more than I expected.

I was disappointed to find last summer that the only places in Europe where I could use my PIN with my Barclaycard or USAA card were railway stations’ ticket machines. I did not use my Chase chip credit cards anywhere as they are not PIN for purchase enabled, so Chase lost out on its potential share of credit card transaction revenue.

I was very happy to be among the first users, back in late 2012, of chip and PIN USAA credit cards then defaulting to PIN, where POS enabled. USAA’s later changing to default signature, following the lead of other US banks, was not at all well received by me or by others who wanted and got one of the first US chip cards. What a true lack of foresight on USAA’s part.

Oh, that magnetic stripe is so easily duplicated, so it has to go soon too.

Wow. Discover enters modern times. Maybe. . . maybe. . . someday Discover’s developers will master the sub-remedial ability to allow customers to login to its website/apps with one login (two cards and one CD account: three usernames, three logins, and developers declare: “yeah. . . too bad for the customers”

Actually, I signed up my Discover banking using my Discover card login back in 2014, and it works with just one login. Maybe you can chat with them to merge them?

Why on Earth aren’t they trying to be ahead of all other US banks / catch up with all the modern world and issue contactless + PIN cards?

Back to Top ↑